So? The assertion is "they're not secure", not "it's easy to become secure".
> While this is generally necessary to leverage the use of features like static file caching, it also means Cloudflare gets to see the billing details and possibly payment information of customers shopping on a Cloudflare protected e-shop.
I tend to trust Cloudflare with this info more than I trust the website itself and their 83 different unpatched WordPress plugins.
You manage risk through balancing security and business requirements. You mitigate the risk you can, you accept the risk you can't (or choose to defer).
Disclaimer: I work in risk. I have these conversations daily. When Cloudflare first published their RPKI marketing site, I thought it was an important issue until doing further research, and have since walked back my personal opinion (which was admittedly overzealous about RPKI initially) on the severity of the issue and the timeline necessary for action to be taken.
The RPKI RFC is from 2012. Cloudflare's been publishing blog articles like "RPKI - The required cryptographic upgrade to BGP routing" (https://blog.cloudflare.com/rpki/) for years now.
That's a silly assertion. What percentage of residential ISP customers do you think are aware at all of RPKI?
Cloudflare's "is BGP safe" page is intended to highlight the ISPs that are deferring RPKI. If you claim customers are making an educated decision on whether RPKI is necessary, you shouldn't have an objection to the site's existence.
"Did you know China could poison routing tables and see all your data?" "I don't do anything I care about them seeing." This is from a real conversation with your average non-tech individual. It is not a technology issue (today, you could use VPNs [WARP] and cryptography to create a mesh from end users to Cloudflare to server side endpoints and fail closed when BGP routing gets hijacked temporarily anywhere in the mesh), it is a privacy advocacy issue. Encouraging people to care is the hard part.
It may be that customers don't care when made aware - Cloudflare seems to think at least a few will, but I tend to agree many won't. "Customers have accepted the risk" was simply a laughable assertion.
If Cloudflare wants to go through the marketing exercise and isn't putting unnecessary workload on other providers, I take no issue.
While Cloudflare may be protecting the WordPress instance from some attacks, your traffic is still flowing back to the host eventually. It's not like Cloudflare is keeping some of the data from the website. Whereas PayPal, Apple Pay et al. actually do keep some of your information from the final party by assigning one time use payment info vs handing over a credit card number.
> I tend to trust Cloudflare with this info more than I trust the website itself
I guess someone at one of the "insecure" companies listed at https://isbgpsafeyet.com/ got a little sore?
Are you “they”?
Sure, Cloudflare can decrypt SSL traffic and send it to the origin server unencrypted, but that can be (and is) done without Cloudflare involved at all, and you aren't any safer that way.
The VPN claim is just basic facts about how a VPN works, but they're wrong in saying it won't protect you. It will, if your local network or ISP is untrustworthy.
And then it just ends with them complaining about the BGP vulns they were called out on.
> Sure, Cloudflare can decrypt SSL traffic and send it to the origin server unencrypted, but that can be (and is) done without Cloudflare involved at all, and you aren't any safer that way.
So because you could run an unsafe configuration without Cloudflare, it's ok for Cloudflare to offer it?
I think criticism of Cloudflare is often overblown, but it's not like they are perfect. Run aggressive marketing, expect to get called out for your failings.
EDIT: apparently their own route validation also isn't that strict? https://twitter.com/Benjojo12/status/1251538757595148291
Isn't that the case with all VPNs? One of the most common VPN use cases is to create an encrypted tunnel between your connection and another server (VPN) so that it looks like your traffic is originating from that server.
Which VPN(s) doesn't allow another server to read your traffic? I thought a VPN connection has to have a VPN server which does this?
Instead, there's a mixture of the well-known (but valid!) MITM concerns and a hodgepodge of other crap. It would be better titled "my complaints about Cloudflare" but that's not good enough clickbait.
This deserves to be flagged.
"Cloudflare is shielding cybercriminals"
So? Criminals use many good services, it doesn't make the service bad.
"Scaring internet users into thinking their ISPs are insecure in the middle of a global pandemic"
ISPs ARE insecure because of this. The global pandemic has nothing to do with this. Do we get mad at CVEs all of a sudden during a pandemic?
"Falsely advertising their VPN application"
It can be safer depending on the situation. If you need a model closer to zero-trust (still not zero-trust though), use Tor.
> Cloudflare is shielding cybercriminals
Cloudflare has an abuse form https://cloudflare.com/abuse - CF also doesn't prohibit you from filing police reports with your local law enforcement, which CF will cooperate with upon receiving contact.
> Scaring internet users into thinking their ISPs are insecure in the middle of a global pandemic
> While this site is a parody, it may contain factual information. :) The author has no affiliation with Cloudflare, Inc.
No, Cloudflare is not decrypting traffic
my lord as if a VPN tunnel is such a bad thing
“I’m unable to secure BGP at my shit ISP and now I blame cloudflare for my ineptitude and bad press”
It's like someone freaking out at White Castle over the dangers of fast food and the environmental impact of beef. You're not necessarily wrong... just your aim is so weird.